What’s that coming over the hill? The fines of GDPR
Take your mind back to May 2018 and you are at a training event. The presenter has outlined all the boring rules that you are going to have to follow and has now arrived at the part where it must be impressed on the audience how important it is to actually follow them. But you have heard this many times before in the last 12 months. Over and over it has been repeated. Once you hear the trip of the lips as it stutters from G – to D – to P – to R, you wait in anticipation for the inevitable. Everyone knows it’s going to come. It’s the bit about the fines being really big. The more depraved amongst us are salivating. You don’t need to listen to the words in between, as all you have to hear is the peak of the sentence: ‘up to 4% of global turnover… €20 million…’ blah blah blah goes the rest. The release is so satisfying.
But then you notice that nearly a year of this new world order has passed and it’s a sentence that has not been trotted out in a while. So your mind may start to stray a little. I wonder, can I leave my customer’s personal data on the bread bin or the bus? Why not throw all that personal data out the window? The whole GDPR thing was a load of rubbish, as suspected. A bit like the Y2K Bug.
The reason that it has dropped from view somewhat is that nothing big has really happened so far. If we look at the Data Protection Commission Annual Report covering 25 May to the end of 2018, five prosecutions were listed as being heard in court with minor enough fines being given by the sitting District Court Judge: the highest fine handed down was 2k for Vodafone for not taking someone off a marketing campaign. This was only in the District Court of course, small time. The worst bit for any of the companies listed in the report was the (usual) bad press and legal costs. But how many people read the DPC report? It’s hardly headline news.
There has been no big fine dropped by the Data Protection Commission – yet. It’s as if the fines were a red herring. But if we look a little closer at the report, a different picture emerges. There are the 15 statutory inquiries (two more announced recently). So, something is going on, but why no fines yet?
There are a couple of main reasons why this is entirely understandable:
Firstly, the Data Protection Commission has had a huge expansion in the scope of its powers, ten times the budget it had in 2014 and a huge number of staff added over the past few years, so there was always going to be a period of adjustment in order to give clarity to procedure and structure within this context. Secondly, the statutory inquiries are no small matters. I’m talking about both the tech giants, Facebook, Twitter etc., and the very important special investigations into the Public Services Card and the ‘Surveillance by the State Sector for Law Enforcement Purposes’.
Therefore, a picture emerges which makes it clear that fines were never going to be announced on the morning of 26 May 2018; it was always going to take some time. But we can’t wait forever. They must start sometime. That time may be coming very soon given the comments of Helen Dixon before a US Senate Hearing Committee on 1 May 2019, where she stated that fines were likely to be levied this summer and that they are likely to be ‘substantial’. What is interesting about this statement is that it indicates, firstly, that a decision has already been made in relation to at least one of the inquiries and, secondly, that while it may not seem like it here in Dublin amidst the bluster and drizzle, it is May, which according to the calendar at least means it’s summer. So we should expect an announcement very soon, possibly within a matter of weeks.
The next question that arises is what counts as substantial? If we look at the European context, what is meant by substantial is likely to be in the tens of millions rather than thousands. Last July, the ICO in the UK fined Facebook £500,000 for its role in the Cambridge Analytica scandal. In January, the French fined Google €50 million, and in March the Danish Data Protection Agency recommended that Taxa4x35 pay DKK 1.2 million for breaching several of the Art. 5 principles of the GDPR.
One thing to note is that just because the DPC decides to fine does not mean that the fined party will not appeal. The announcement of a fine may not necessarily be regarded as a conclusion, as this is likely to be played out in the Irish and European courts. Therefore, it’s likely that we are in the middle of a process rather than nearing an end-point.
There is no doubt that, given the intense scrutiny the DPC is under (given the large number of data monoliths in our jurisdiction), the size of the fine will be considered in great detail by the DPC before issuance and will therefore be very instructive in the context of fines Europe-wide.
So after all this time we are nearly there: in a matter of months we should see a large fine issued in relation to breaches of data privacy legislation. If done correctly, this will be an important event in the overall context of GDPR and will prove to be a dissuasive marker for any party who does not take it seriously.